I propose setting up a local HTTP server to grab the OAuth2 authorization token directly (instead of going through https://oauth2.dance). There are a few reasons:

- No more copy-pasting is needed for the token.
- The domain registrar oauth2.dance is not Google (though maybe it was) and I prefer not to trust one more company.
- It is trivial to set up an ephemeral HTTP server in Go.
- The change will slightly simplify the procedure to obtain a new client ID.

I understand that many non-Google OAuth2 services seem to have issues with HTTP even for localhost, and there were security concerns when you don't trust all the local programs (e.g., Android), but none of these concerns seem to apply to the primary use case of sendgmail.
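A sketch of the loopback flow the proposal describes, written as an added example for this thread rather than code from sendgmail or its maintainers: it generates a PKCE verifier/challenge, builds the authorization URL, and serves exactly one redirect on an ephemeral 127.0.0.1 listener, rejecting any request whose state does not match. The endpoint, client ID, scope and redirect URL are caller-supplied parameters, so nothing below assumes Google's URLs beyond the standard query parameters.

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"net"
	"net/http"
	"net/url"
)

// newPKCE returns a random code_verifier and its S256 code_challenge (RFC 7636).
func newPKCE() (verifier, challenge string) {
	raw := make([]byte, 32)
	rand.Read(raw) // crypto/rand: only fails if the platform RNG is broken
	verifier = base64.RawURLEncoding.EncodeToString(raw)
	sum := sha256.Sum256([]byte(verifier))
	return verifier, base64.RawURLEncoding.EncodeToString(sum[:])
}

// authURL builds the authorization request; state is what waitForCode checks on return.
func authURL(endpoint, clientID, redirect, scope, state, challenge string) string {
	q := url.Values{"client_id": {clientID}, "redirect_uri": {redirect},
		"response_type": {"code"}, "scope": {scope}, "state": {state},
		"code_challenge": {challenge}, "code_challenge_method": {"S256"}}
	return endpoint + "?" + q.Encode()
}

// waitForCode serves the redirect on ln and returns the first code whose state matches.
func waitForCode(ctx context.Context, ln net.Listener, state string) (string, error) {
	codeCh := make(chan string, 1) // buffered: the handler does not block on the first code
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("state") != state || q.Get("code") == "" { // forged or stray request
			http.Error(w, "unexpected request", http.StatusBadRequest)
			return
		}
		w.Write([]byte("Authorization received; you can close this tab."))
		codeCh <- q.Get("code")
	})}
	go srv.Serve(ln)
	defer srv.Shutdown(context.Background()) // lets the reply above flush before closing
	select {
	case code := <-codeCh:
		return code, nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}
```

The caller binds the listener with net.Listen("tcp", "127.0.0.1:0"), passes "http://" + ln.Addr().String() + "/" as the redirect, opens the URL in the browser, and then exchanges the returned code together with the verifier at the token endpoint (not shown).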
I looked into doing this about a year ago when I was getting the OAuth2 dance working again. The showstopper was not code complexity, but the requirement to support the browser being on another machine. My (extremely) layman's understanding is that using PKCE suffices to mitigate the risk if oauth2.dance gets hijacked.
Related issue: #49 (OOB no longer works)